Privacy Policy

Objective

To ensure compliance with the Privacy Act 1988, its amendments, and the Australian Privacy Principles (APP), which regulate the handling of personal information about individuals.

Application

This policy applies to all staff employed at DFK Benjamin King Money (DFK BKM) and BKM Audit Services including contractors, consultants, temporary staff or other persons who have access to personal information in the course of performing their duties.

Operative Date

This policy is effective as of 24 July 2023.

Policy

As an employer, DFK BKM and BKM Audit Services are obliged to handle personal information according to Federal and State or Territory legislation in order to:

  • Protect clients’ and employees’ entitlement to privacy
  • Promote the responsible and transparent handling of personal information by our firm
  • Prevent privacy law breaches occurring within the workplace.

DFK BKM and BKM Audit Services have adopted the Australian Privacy Principles (APP) contained within the Privacy Act 1988 and all amendments through to the effective date of this policy.

The Australian Privacy Principles cover the following areas:

1. Open and transparent management of personal information

DFK BKM and BKM Audit Services will advise you prior to collecting, storing or reviewing personal information why we require your personal information and how it will be stored.

2. Anonymity and pseudonymity

Whilst under the Privacy Act individuals are permitted to interact with companies by either not identifying themselves or by using a pseudonym, DFK BKM and BKM Audit Services is only obliged to comply with this principle where it is lawful and practicable to do so. To provide our services to you, it will be necessary to identify yourself correctly and provide the necessary details (which may include personal information) to us.

3. Collection of solicited personal information

Personal information will only be collected where necessary. DFK BKM and BKM Audit Services will not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of DFK BKM and BKM Audit Services' functions or activities.

4. Dealing with unsolicited personal information

Personal information that is received by DFK BKM and BKM Audit Services is still afforded privacy protection, even if DFK BKM and BKM Audit Services has not solicited the information. Where DFK BKM and BKM Audit Services could not have collected the information in line with the APP policies, such information will be securely destroyed.

5. Notification of the collection of personal information

DFK BKM will ensure that an individual is aware of particular requirements at the time of collection of the personal information of the individual. It is required that the individual or client firm will be made aware of how and why personal information is, or will be, collected and how DFK BKM and BKM Audit Services will deal with the personal information.

6. Use or disclosure of personal information

DFK BKM will use or disclose personal information for the primary purpose for which the information was collected. Personal information will only be used or disclosed for secondary purposes if the relevant individual has consented or if it is required by law.

7. Direct marketing

DFK BKM and BKM Audit Services may use or disclose personal information to provide information and updates or to promote DFK BKM and BKM Audit Services' services directly to individuals. DFK BKM and BKM Audit Services will provide easily accessible ‘opt out’ options for individuals. DFK BKM and BKM Audit Services will not pass on personal information to direct marketing companies or ‘mail houses’.

8. Cross-border disclosure of personal information

Before DFK BKM and BKM Audit Services can disclose personal information outside Australia, DFK BKM and BKM Audit Services will take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the privacy obligations in relation to personal information as set out in this policy document. This would include when using offshore or outsourced workers.

9. Adoption, use, or disclosure of government-related identifiers

DFK BKM and BKM Audit Services will adopt client codes to identify clients internally. Such codes will be alpha/numeric and will not be based on government identifiers (e.g. Tax File Numbers).

10. Quality of personal information

DFK BKM and BKM Audit Services will protect the quality of personal information collected, used, or disclosed by DFK BKM and BKM Audit Services employees and clients. DFK BKM and BKM Audit Services will continue to work to improve the consistency of personal information handling practices by our firm and those entities we are required to deal with, e.g. ATO, ASIC.

11. Security of personal information

DFK BKM will keep personal information only for as long as is reasonably necessary or for as long as we are legally obligated to keep it. Thorough archiving practices will be used for data held by our firm, both for physical and electronic documents. Confidential shredding bins are also used throughout the office.

12. Access to personal information

DFK BKM will ensure that individuals have access to personal information that is held about them. Staff and clients will be able to correct the information where it is inaccurate, irrelevant, out-of-date, or incomplete. Clients and employees may request access to confidential information with one working day's notice. Personal information that is held offsite may incur a fee to retrieve such data. DFK BKM and BKM Audit Services reserves the right to charge the requesting party for any costs associated with data retrieval.

13. Correction of personal information

DFK BKM will correct personal information if it is inaccurate, irrelevant, out-of-date, or incomplete within two working days of a correction being identified.

Personal Information

It is important to note that the privacy principles only apply to personal information as defined by the Act. The current definition of personal information within the Privacy Act is: personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  (a) whether the information or opinion is true or not; and
  (b) whether the information or opinion is recorded in a material form or not.

In simpler terms, personal information, also called personal data, is any information that relates to a specific person. Some of the most obvious examples of personal information include someone’s name, mailing address, email address, phone number, tax file number, and medical records (if they can be used to identify the person). Other examples include information obtained through website queries, onsite video surveillance cameras, and information obtained via telephone calls, email, or other written mechanisms.

The primary purpose of the collection of personal information within our firm is for:

  • Client requirements: we are required to collect, store, and lodge personal information regarding our clients for the purposes of completing our range of services.
  • Recruitment and Employment: a candidate seeking employment with us will provide personal information via their resume or online application.
  • Supplier and other Stakeholders: we will be required to collect information about a supplier offering our firm services or other billing and banking information.
  • Client and business relationship management: for the purposes of marketing and networking with our clients and potential clients.

What is not Personal Data?

Personal data collected and contained in an employee file is exempt from the Act except if it is used for purposes other than employee management or payroll purposes, i.e. we may disclose your details for the purposes of booking you into a training course, but could not send your details to a third party for marketing or networking purposes without your permission.

Disclosures

We may disclose your personal information for any of the purposes for which it is primarily held or for a related secondary purpose that you approve. In most cases, we will only disclose information with your consent.

We may disclose your personal information where we are under a legal duty to do so, including circumstances where we are under a lawful duty of care to disclose information. In these cases, we will endeavour to receive timely consent from you, however, this may not always be available. We may disclose your information to a third party.

Access to personal information

Subject to some exceptions that are set out in the Act, you may gain access to personal information that we hold about you. We will refuse access if such access would interfere with the privacy rights of other persons or if it breaches any confidentiality that attaches to that information.

Costs may apply to access information, particularly if it is stored in our offsite archive facility.

If you wish to obtain access to your personal information you should contact our Privacy Officer. You will need to be in a position to verify your identity.

Data Breaches and Notifiable Breaches

A Data Breach occurs when personal information held by the firm is accessed by or disclosed to an unauthorised person. A breach may also occur where information is lost or stolen. A breach is deemed to have occurred regardless of whether the act was on purpose or by error.

Examples may include: lost or stolen laptops, mobile phones, or other portable means of storing data (USBs etc.); lost or stolen paper records; employees mistakenly providing personal information to the wrong recipient (e.g. sending a return to the wrong recipient or uploading documents to the wrong client file); employees providing confidential information to a competitor; and where a database has been ‘hacked’ illegally.

In the event of a breach or suspected breach, it should be reported immediately to the Privacy Officer. The Privacy Officer will make an immediate assessment to determine if it is a Notifiable Data Breach or not.

A Notifiable Data Breach occurs when:

There has been an actual data breach; AND

  • A reasonable person would conclude that the unauthorised access or disclosure would likely result in serious harm to the relevant individual or group of individuals; or
  • In the case of loss or theft (whether accidental or not), unauthorised access or disclosure of personal information is likely to result in a data breach and if so would likely result in serious harm to the relevant individual or group of individuals.

Such harm may include physical or mental health and well-being impacts, financial loss, or damage to their reputation. Where the firm has been successful in preventing serious harm by taking remedial action, it would not be classed as a notifiable data breach. Any likely damage to the firm’s reputation by the resulting disclosure of a notifiable data breach should not be considered in determining whether a notifiable data breach has occurred or not.

Notification to affected individuals

If the firm is aware of a Notifiable Data Breach, the firm will, as soon as is practicable (generally within 30 days), investigate such a breach and those impacted by it. A statement should be prepared outlining the personal information involved in the breach, a description of the breach, and recommendations for the steps individuals or groups of individuals can take to remediate the harm or potential harm.

Where contact is unable to be made with all affected or potentially affected individuals, the firm will place details of the notifiable data breach on our website and promote it through social media channels, news articles or advertisements.

Notifiable Data Breaches must also be reported to the Office of the Australian Information Commissioner.

Breach of privacy laws

The Privacy Commissioner has the power to investigate possible interferences with privacy, either on its own initiative or following a complaint by the individual concerned.

When an individual makes a complaint, the Commissioner will generally attempt to resolve the complaint by conciliation between the parties.

The Commissioner also has a range of enforcement powers and other remedies available.

Relevant Legislation

Privacy Act 1988 and its amendments.

Inquiries and Complaints

All privacy complaints must be directed to the Firm’s Privacy Officer. All complaints will be resolved confidentially, impartially, and promptly.

DFK BKM and BKM Audit Services will endeavour to ensure any complaint of a systemic/ongoing nature will be addressed immediately and policies put in place to prevent a similar complaint from occurring.

For further information contact us on +61 3 9804 0411 or email reception@dfkbkm.com.au.